Simultaneous-Use and UserName sent from NAS

Ziggy Bopster ziggybopster at gmail.com
Thu Jun 9 21:26:17 CEST 2011


Hello All,

I want to enable Simultaneous-Use for our users.  I have been stuck
for many, many days trying to figure this out; any help is greatly
appreciated.  This is my first time posting, so sorry if my netiquette
is not correct.

I.  Configuration of System:
FreeRADIUS Version 2.1.1, built on May  9 2010 at 12:09:29
Novell SUSE Linux Enterprise Server 11 SP1
Cisco Wireless APs
Cisco Wireless Controller - Cisco 4400 Series
Authentication using Novell e-Directory LDAP
Protocol - EAP-PEAP MSCHAPV2
mysql 5.0.67 is installed and radius database is created with correct schema

II.  Description:
I am using FreeRADIUS to authenticate wireless users.
Users are authenticated to the SSID by entering their LDAP
username/password (stored in Novell e-Directory).
The users are using the standard WPA2 client on Windows machines (with
the EAP-PEAP MSCHAPv2 protocol).
In addition, I have enabled the checkval module to check for valid MAC
addresses & DialupAccess=TRUE.

III.  Problem:
In looking at the debug logs, Accounting-Request packets with randomly
generated UserNames are being sent from the NAS to FreeRADIUS before
and after the successful authentication of the UserName (ziggy) using
the EAP-PEAP-MSCHAPV2 protocol (during which time the correct UserName
is sent by the NAS).  When I issue the radwho command or look at the
RADACCT tables, I see the randomly generated UserNames in both tables.
But when I check in the radpostauth table, I see the UserName (Ziggy)
in it.

vm-32laars:/var/tmp # radwho
Login      Name              What  TTY  When      From            Location
8c58770ca7 8c58770ca708      shell S29  Wed 10:55 10.32.156.5

vm-32laars:/var/tmp # radwho
Login      Name              What  TTY  When      From            Location
d830628b05 d830628b050e      shell S29  Wed 10:56 10.32.156.5

mysql> select * from radpostauth;
+----+-----------+---------+---------------+---------------------+
| id | username  | pass    | reply         | authdate            |
+----+-----------+---------+---------------+---------------------+
| 28 | ziggy     |         | Access-Accept | 2011-06-08 10:54:22 |
+----+-----------+---------+---------------+---------------------+

mysql>  select * from radacct order by RadAcctID desc limit 1;
+-----------+----------------------------------+------------------+--------------+-----------+-------+--------------+-----------+-------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+----------------------+
| radacctid | acctsessionid                    | acctuniqueid     | username     | groupname | realm | nasipaddress | nasportid | nasporttype | acctstarttime       | acctstoptime        | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddress | acctstartdelay | acctstopdelay | xascendsessionsvrkey |
+-----------+----------------------------------+------------------+--------------+-----------+-------+--------------+-----------+-------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+----------------------+
|     10247 | 4defbb0d/8c:7b:9d:9f:d4:16/12409 | 60370f84e1b169c1 | 8c7b9d9fd416 |           |       | 10.32.156.5  | 29        |             | 2011-06-08 10:55:51 | NULL                |               0 | Remote        |                   |                  |               0 |                0 | 10.32.156.5     | 0.0.0.0          |                    |             |                |                 |              0 |             0 |                      |
|     10246 | 4defb9c7/8c:58:77:0c:a7:08/12392 | e19aebd88b0eafbf | 8c58770ca708 |           |       | 10.32.156.5  | 29        |             | 2011-06-08 10:50:24 | 2011-06-08 10:55:37 |             313 | Remote        |                   |                  |           21002 |             3206 | 10.32.156.5     | 0.0.0.0          | User-Request       |             |                |                 |              0 |             0 | NULL                 |
+-----------+----------------------------------+------------------+--------------+-----------+-------+--------------+-----------+-------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+----------------------+


IV.  Questions:
1) Why is the NAS sending so many randomly generated numeric
"UserName" values in the Accounting-Request?
2) How can I get the NAS to send the correct Username (Ziggy) instead
of the randomly generated numbers in the Accounting-Request packets to
update in SQL?
3) I'm confused, should I use radutmp or sql to get Simultaneous-Use
to work?  If only sql, can I disable radutmp in configuration files?
4) What do I need to do to get Simultaneous-Use to work properly?
5) Should the default & inner-tunnel files that have the same
parameters match? (i.e. in authorize {sql} in the default file and the
authorize {sql} in the inner-tunnel file)
6) Why do I see so many packets for Ziggy trying to authenticate just
once?  It is not until about Line 1389 in the debug log (see below
ITEM# 6) that the tunnel actually gets established and the next
packet on Line 1453 has the Acct-Status-Type = Start.  There is a
total of about 3174 lines for just one login attempt.


V:  Configuration relating to Simultaneous-Use:
===================================================================
/etc/raddb/sites-enabled/default
===================================================================
authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        ldap
        sql
        checkval
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}

accounting {
        detail
        unix
        radutmp
        sql
        attr_filter.accounting_response
}


session {
        radutmp
        sql
}

post-auth {
        sql
        ldap
        exec
        Post-Auth-Type REJECT {
                ldap
                attr_filter.access_reject
        }
}


pre-proxy {
}

post-proxy {
        eap
}

===================================================================
/etc/raddb/sites-enabled/inner-tunnel
===================================================================
server inner-tunnel {
authorize {
        chap
        mschap
        unix
        suffix
        update control {
               Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        ldap
        #sql
#       checkval
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }

        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}

session {
        radutmp
        sql
}



post-auth {
#       sql
#       sql_log
        ldap
        Post-Auth-Type REJECT {
                attr_filter.access_reject
                ldap
        }
        update outer.reply {
                User-Name = "%{request:User-Name}"
        }
}

pre-proxy {
}

post-proxy {
        eap
}

} # inner-tunnel server block



===================================================================
/etc/raddb/sql.conf
===================================================================
sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        login = "radius"
        password = "password"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        deletestalesessions = yes
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        #readclients = yes
        nas_table = "nas"
        $INCLUDE sql/${database}/dialup.conf
}

===================================================================
/etc/raddb/sql/mysql/dialup.conf
===================================================================
        #######################################################################
        # Simultaneous Use Checking Queries
        #######################################################################
        # simul_count_query     - query for the number of current connections
        #                       - If this is not defined, no simultaneous use checking
        #                       - will be performed by this module instance
        # simul_verify_query    - query to return details of current connections for verification
        #                       - Leave blank or commented out to disable verification step
        #                       - Note that the returned field order should not be changed.
        #######################################################################
        # Uncomment simul_count_query to enable simultaneous use checking
        simul_count_query = "SELECT COUNT(*) \
                             FROM ${acct_table1} \
                             WHERE username = '%{SQL-User-Name}' \
                             AND acctstoptime IS NULL"

        simul_verify_query  = "SELECT radacctid, acctsessionid, username, \
                               nasipaddress, nasportid, framedipaddress, \
                               callingstationid, framedprotocol \
                               FROM ${acct_table1} \
                               WHERE username = '%{SQL-User-Name}' \
                               AND acctstoptime IS NULL"

===================================================================
/etc/raddb/eap.conf
===================================================================
eap {
  default_eap_type = peap
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 2048

  md5 {
  }

  leap {
  }

  tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_file = ${certdir}/serverkey.key
    certificate_file = ${certdir}/servercert.cert
    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    cipher_list = "DEFAULT"
    make_cert_command = "${certdir}/bootstrap"
    cache {
      enable = no
      max_entries = 255
    }
  }

  ttls {
    default_eap_type=md5
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
  }

  peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
  }

  mschapv2 {
  }
}



====================================================
VI:  Here is the DEBUG LOG (sorry there are so many lines)
====================================================
FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on May  9 2010 at 12:09:29
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
 client 10.32.156.5/32 {
	require_message_authenticator = no
	secret = "code"
	shortname = "cw32ce0a.wifi.nm.ci.la.ca.us"
	nastype = "cisco"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
	server = "10.32.197.139"
	port = 636
	password = "Password"
	identity = "cn=admin,o=RALDAP"
	net_timeout = 1
	timeout = 4
	timelimit = 3
	tls_mode = yes
	start_tls = no
	tls_require_cert = "allow"
   tls {
	start_tls = no
	cacertfile = "/etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64"
	require_cert = "demand"
   }
	basedn = "ou=users,o=RALDAP"
	filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
	base_filter = "(objectclass=radiusprofile)"
	password_attribute = "nspmPassword"
	auto_header = no
	access_attr = "dialupAccess"
	access_attr_used_for_allow = yes
	groupname_attribute = "cn"
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	dictionary_mapping = "/etc/raddb/ldap.attrmap"
	ldap_debug = 40
	ldap_connections_number = 5
	compare_check_items = no
	do_xlat = yes
	edir_account_policy_check = yes
	set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0xb7961d90
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = "peap"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "whatever"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = yes
	use_tunneled_reply = yes
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
	filename = "/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
	driver = "rlm_sql_mysql"
	server = "localhost"
	port = ""
	login = "radius"
	password = "password"
	radius_db = "radius"
	read_groups = yes
	sqltrace = no
	sqltracefile = "/var/log/radius/sqltrace.sql"
	readclients = no
	deletestalesessions = yes
	num_sql_socks = 5
	sql_user_name = "%{User-Name}"
	default_user_profile = ""
	nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
	authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
	authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
	authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
	authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
	accounting_onoff_query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
	accounting_update_query = "UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
	accounting_update_query_alt = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
	accounting_start_query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
	accounting_start_query_alt = "UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
	accounting_stop_query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
	accounting_stop_query_alt = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
	group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
	connect_failure_retry_delay = 60
	simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
	simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
	postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
	safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius at localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
  }
 }
}
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = "/etc/raddb/huntgroups"
	hints = "/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_checkval
 Module: Instantiating checkval
  checkval {
	item-name = "Calling-Station-Id"
	check-name = "Calling-Station-Id"
	data-type = "string"
	notfound-reject = yes
  }
rlm_checkval: Registered name Calling-Station-Id for attribute 31
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = "/etc/raddb/users"
	acctusersfile = "/etc/raddb/acct_users"
	preproxy_usersfile = "/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768,
id=93, length=153
	User-Name = "9027e444744e"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 1
	Acct-Session-Id = "4defba9b/90:27:e4:44:74:4e/12402"
	Acct-Authentic = Remote
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	Acct-Status-Type = Start
	Calling-Station-Id = "0.0.0.0"
	Called-Station-Id = "10.32.156.5"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address =
10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id =
"4defba9b/90:27:e4:44:74:4e/12402",User-Name = "9027e444744e"'
[acct_unique] Acct-Unique-Session-ID = "b893f021ffab4937".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "9027e444744e", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] 	expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] 	expand: %t -> Wed Jun  8 10:54:07 2011
++[detail] returns ok
++[unix] returns ok
[radutmp] 	expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] 	expand: %{User-Name} -> 9027e444744e
++[radutmp] returns ok
[sql] 	expand: %{User-Name} -> 9027e444744e
[sql] sql_set_user escaped user --> '9027e444744e'
[sql] 	expand: %{Acct-Delay-Time} ->
[sql] 	expand:            INSERT INTO radacct
(acctsessionid,    acctuniqueid,     username,              realm,
       nasipaddress,     nasportid,              nasporttype,
acctstarttime,    acctstoptime,              acctsessiontime,
acctauthentic,    connectinfo_start,              connectinfo_stop,
acctinputoctets,  acctoutputoctets,              calledstationid,
callingstationid, acctterminatecause,              servicetype,
framedprotocol,   framedipaddress,              acctstartdelay,
acctstopdelay,    xascendsessionsvrkey)           VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,
  '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0',
'0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
             '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[attr_filter.accounting_response] 	expand: %{User-Name} -> 9027e444744e
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 93 to 10.32.156.5 port 32768
Finished request 1.
Cleaning up request 1 ID 93 with timestamp +2
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768,
id=95, length=153
	User-Name = "a467068f617f"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 1
	Acct-Session-Id = "4defbaad/a4:67:06:8f:61:7f/12403"
	Acct-Authentic = Remote
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	Acct-Status-Type = Start
	Calling-Station-Id = "0.0.0.0"
	Called-Station-Id = "10.32.156.5"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address =
10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id =
"4defbaad/a4:67:06:8f:61:7f/12403",User-Name = "a467068f617f"'
[acct_unique] Acct-Unique-Session-ID = "a96fb9b5775cab4f".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "a467068f617f", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] 	expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] 	expand: %t -> Wed Jun  8 10:54:14 2011
++[detail] returns ok
++[unix] returns ok
[radutmp] 	expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] 	expand: %{User-Name} -> a467068f617f
++[radutmp] returns ok
[sql] 	expand: %{User-Name} -> a467068f617f
[sql] sql_set_user escaped user --> 'a467068f617f'
[sql] 	expand: %{Acct-Delay-Time} ->
[sql] 	expand:            INSERT INTO radacct
(acctsessionid,    acctuniqueid,     username,              realm,
       nasipaddress,     nasportid,              nasporttype,
acctstarttime,    acctstoptime,              acctsessiontime,
acctauthentic,    connectinfo_start,              connectinfo_stop,
acctinputoctets,  acctoutputoctets,              calledstationid,
callingstationid, acctterminatecause,              servicetype,
framedprotocol,   framedipaddress,              acctstartdelay,
acctstopdelay,    xascendsessionsvrkey)           VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,
  '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0',
'0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
             '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.accounting_response] 	expand: %{User-Name} -> a467068f617f
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 95 to 10.32.156.5 port 32768
Finished request 2.
Cleaning up request 2 ID 95 with timestamp +9
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=249, length=184
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	EAP-Message = 0x0202000a017a69676779
	Message-Authenticator = 0x2d7411a0a70277876c359c8b4d67b798
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[ldap] 	expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] 	expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.32.197.139:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to
/etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=admin,o=RALDAP/novell to 10.32.197.139:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
[sql] 	expand: %{User-Name} -> ziggy
[sql] sql_set_user escaped user --> 'ziggy'
rlm_sql (sql): Reserving sql socket id: 1
[sql] 	expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'ziggy'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= 'ziggy'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User ziggy not found
++[sql] returns notfound
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-22-fa-a1-ba-e8
rlm_checkval: Value Name: Calling-Station-Id, Value: 78-ca-39-b9-12-f9
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-22-fa-a1-ba-e8
++[checkval] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 249 to 10.32.156.5 port 32768
	EAP-Message = 0x010300061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe620bc83e623a5da78451212e3283d83
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=250, length=311
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	EAP-Message = 0x0203007719800000006d16030100680100006403014defbab394ef0bf49e249034a8f7bd9769a69976d1734654ad86542a75ed2b32000018002f00350005000ac013c014c009c00a003200380013000401000023ff010001000000000a00080000057a69676779000a0006000400170018000b00020100
	State = 0xe620bc83e623a5da78451212e3283d83
	Message-Authenticator = 0x67139174caeb2bd6111e66658ae9da26
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 119
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 109
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0068], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 250 to 10.32.156.5 port 32768
	EAP-Message = 0x0104040019c0000008a216030100310200002d03014defb74eca097d9d5f9de12b27867f05bb279f3b41b0d5f096742ed43b4205cd00002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
	EAP-Message = 0xe7ff00e87350fe0b3266f50fa368ebdb9c8124b1cc9e6e07db3d5f495a4ab344ebb45f50770ed6c1723a43533f924e12d79d0d4982a1ae3b03923b97d0f767452c6995a6a523157d250ba3b918e598e93b4b87501e1b022b6e130d8ffc762c5a3d4035d8cdb057ac0fd12bd06a976618d88fc46efafbc990aa9a295fcd8b70f6c48139fdff53c35e0fb38c4db1f10f56054082aa53ce9e7c9bc5d5cbaa9eaf705ad917edee420c59ad70f658994fe18469e213085ca638ead1e8bd72a9e721901034a57d33badbe54bb92476bab7d89ff4c87882bf4f8114c812afc320b1dd68b9683011d32a46b4f17192e56c92ef213f99f6c6b7464103ecea2b0171
	EAP-Message = 0x020004ab308204a73082038f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe620bc83e724a5da78451212e3283d83
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=251, length=198
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	EAP-Message = 0x020400061900
	State = 0xe620bc83e724a5da78451212e3283d83
	Message-Authenticator = 0x05e641c1ed2dbfb0b9a0bc003ded62a0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 251 to 10.32.156.5 port 32768
	EAP-Message = 0x6c5d107c8046cd2ef12e233bd35a4e2b477676934e34ac5813c75f4dc23301fece997d5aa08123c84b543cd45bc65fa9f1a3e8ef217d4b9f5d88e82eca7f1539946f4fd105b06d7211d2d65af67f266c9f1eb30248a56f2e26d0019a5c1ea497f4d0e7f547f8c61d2944de1551387b563e8481dbd7276fbaa0a6451ef65777c9cb3b6951f6efed6c5f696f08a03f2980779f90ff5dffdf7f0203010001a381fb3081f8301d0603551d0e0416041476cfd1a77faaafd0b29217ddec7f9888590af0f43081c80603551d230481c03081bd801476cfd1a77faaafd0b29217ddec7f9888590af0f4a18199a48196308193310b300906035504061302465231
	EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ec81d7fdbd08b57f300c0603551d13040530030101ff300d06092a864886f70d010105050003820101005b833733cc74015c776e5318978ffde37ceae715464c1183b82463c95957bc61c72d783a923fe70884a01208a04749183f0afc1393284259b0e848605447a7723437701d8a495f9130c6fb
	EAP-Message = 0xfd2a7aac200acb6a
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe620bc83e425a5da78451212e3283d83
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=252, length=198
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	EAP-Message = 0x020500061900
	State = 0xe620bc83e425a5da78451212e3283d83
	Message-Authenticator = 0x2bd996782a861ab5f0e4318920573ce9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 252 to 10.32.156.5 port 32768
	EAP-Message = 0x010600bc1900f2ab17a522f98a0885febb4ff3cb657112b10067895f114462e116b84ff52e461aaa436d80c5cc1184d51c44b67c3c648257a0929a4f6c4d895b47930901d4fe1576ed3296df98e3d9edd900aa0a41a39653932d77f570c5599129b33d1bf32cabf0dffa0ab0c366c5fcdb6f3d65a12df7269b9bb211c9feb0284e064ff51a1eadb7105302f0f2e1a57195e4522c1f26739b2da61de91672163a418fe25d17caa3446a139fed55c8d98cf3b04416030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe620bc83e526a5da78451212e3283d83
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=253, length=530
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	EAP-Message = 0x6a0da33f23a3db2b18e6a04e0f1c5821902a7f3b6d0c25a71403010001011603010030a93820cff9e6253dac65d3a219b134eb2fc85813c46c9203fdb38dd047e41e5b182733893ca45f6f4aba93a4d969338c
	State = 0xe620bc83e526a5da78451212e3283d83
	Message-Authenticator = 0x5fadc4968a75cf5dffcdb32871abe493
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 253 to 10.32.156.5 port 32768
	EAP-Message = 0x01070041190014030100010116030100303b450ec40b7584ae543440d814c44ae8e40f26ec51f917cb1bf1ca87ee319929d82566eb8c874843b7f2c270821b9a72
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe620bc83e227a5da78451212e3283d83
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=254, length=198
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	EAP-Message = 0x020700061900
	State = 0xe620bc83e227a5da78451212e3283d83
	Message-Authenticator = 0x6711b49c21e05d9d0471f5cada5a673e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.32.156.5 port 32768
	EAP-Message = 0x0108002b19001703010020d615b42fdceaf564c2458858918d9d99fa2a59075262b3b911249b9dbdaf854e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe620bc83e328a5da78451212e3283d83
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=255, length=235
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	EAP-Message = 0x0208002b1900170301002080e7daa50845a9cfa553bd5a213b34c81a694936a8086e9c41e845c2ee13adbe
	State = 0xe620bc83e328a5da78451212e3283d83
	Message-Authenticator = 0xa23930f64ee0f25f0138d3be32faf555
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - ziggy
[peap] Got tunnled request
	EAP-Message = 0x0208000a017a69676779
server (null) {
  PEAP: Got tunneled identity of ziggy
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to ziggy
Sending tunneled request
	EAP-Message = 0x0208000a017a69676779
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[ldap] 	expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] 	expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x0109001f1a0109001a107c3fb260e0ff5fca049a623efeb652427a69676779
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7f5c17f37f550df77f9cb88e74ec1077
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x0109001f1a0109001a107c3fb260e0ff5fca049a623efeb652427a69676779
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7f5c17f37f550df77f9cb88e74ec1077
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 255 to 10.32.156.5 port 32768
	EAP-Message = 0x0109003b190017030100302ea4cc7d7bc8bdbbf752876a38a688a14fd819c650d6a76d55e9711dda0cdde12b238d04624ddc997de86bcd1d6a54a6
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe620bc83e029a5da78451212e3283d83
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=0, length=299
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	EAP-Message = 0x0209006b190017030100606c7749f02b0698602b4d8c7391ead7367cb14ddbeaa33c1c345483f86a7a61965498be6823c24a50d0ee61499687e9b278e72700e5fb2c48d76db4393365e13bb5624897e58a7160a8164ba77d0ad762ae4dd872fb91b201aea14cdb08b127ec
	State = 0xe620bc83e029a5da78451212e3283d83
	Message-Authenticator = 0x22d835d6fe511c9016fc9a2b9691f3cb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
	EAP-Message = 0x020900401a0209003b31ba23e5c1721898ca3954317553c86aba0000000000000000bd34249dc56ad087ff883aa9764c69f6d848f370f75db300007a69676779
server (null) {
  PEAP: Setting User-Name to ziggy
Sending tunneled request
	EAP-Message = 0x020900401a0209003b31ba23e5c1721898ca3954317553c86aba0000000000000000bd34249dc56ad087ff883aa9764c69f6d848f370f75db300007a69676779
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "ziggy"
	State = 0x7f5c17f37f550df77f9cb88e74ec1077
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[ldap] 	expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] 	expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for ziggy with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010a00331a0309002e533d35394543324543313042363837423735413339424133433941384445383036433041333933333741
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7f5c17f37e560df77f9cb88e74ec1077
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010a00331a0309002e533d35394543324543313042363837423735413339424133433941384445383036433041333933333741
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7f5c17f37e560df77f9cb88e74ec1077
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.32.156.5 port 32768
	EAP-Message = 0x010a005b19001703010050c19cd32624e8cddabf0fa2387505602c4bc0164f92e8273d1849e420b04920d6d29e169b5f4fa18e031d3ac445c78f18bcb48b3c63a4cdd5f9dc9e4d07106ec30daedb164ac1fa19c911a240f1447684
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe620bc83e12aa5da78451212e3283d83
Finished request 10.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=1, length=235
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	EAP-Message = 0x020a002b1900170301002009cecc97373c0400e41ea22d3d29d81d3ff006fa9ecd4b3afca62b77fa8c953a
	State = 0xe620bc83e12aa5da78451212e3283d83
	Message-Authenticator = 0xc7631b4d93c923d6460500dd33b4566d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
	EAP-Message = 0x020a00061a03
server (null) {
  PEAP: Setting User-Name to ziggy
Sending tunneled request
	EAP-Message = 0x020a00061a03
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "ziggy"
	State = 0x7f5c17f37e560df77f9cb88e74ec1077
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[ldap] 	expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] 	expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group session {...}
[radutmp] 	expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] 	expand: %{User-Name} -> ziggy
++[radutmp] returns ok
+- entering group post-auth {...}
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.32.197.139:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to
/etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=ziggy,ou=users,o=RALDAP/ziggy to 10.32.197.139:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
	EAP-Message = 0x030a0004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "ziggy"
[peap] Got tunneled reply RADIUS code 2
	EAP-Message = 0x030a0004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "ziggy"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.32.156.5 port 32768
	EAP-Message = 0x010b002b1900170301002049a52fa96dcb33d6f581b75f7657e1e6202fd2c7e22308df4d67c837775995ce
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe620bc83ee2ba5da78451212e3283d83
Finished request 11.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=2, length=235
	User-Name = "ziggy"
	Calling-Station-Id = "00-22-fa-a1-ba-e8"
	Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	EAP-Message = 0x020b002b19001703010020eea6cdab5fcb5553d5c76ec1ef19d42396ed439a838b0d35367cfdda86fef168
	State = 0xe620bc83ee2ba5da78451212e3283d83
	Message-Authenticator = 0xa6bc090d74217df806b10f83260e7a30
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
[sql] 	expand: %{User-Name} -> ziggy
[sql] sql_set_user escaped user --> 'ziggy'
[sql] 	expand: %{User-Password} ->
[sql] 	expand: %{Chap-Password} ->
[sql] 	expand: INSERT INTO radpostauth
(username, pass, reply, authdate)                           VALUES (
                        '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
            (username, pass, reply, authdate)
 VALUES (                           'ziggy',
'',                           'Access-Accept', '2011-06-08 10:54:22')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
                   (username, pass, reply, authdate)
        VALUES (                           'ziggy',
       '',                           'Access-Accept', '2011-06-08
10:54:22')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[ldap] returns noop
++[exec] returns noop
Sending Access-Accept of id 2 to 10.32.156.5 port 32768
	User-Name = "ziggy"
	MS-MPPE-Recv-Key =
0x24ed6bc6b1501b91115a0aebb258aa071975a0c24c0b284bafbb36992de2da7c
	MS-MPPE-Send-Key =
0xa0a91a481b11147334dc7c5019ac8aa906c8498bc9f165b56fdb1e495a65110c
	EAP-Message = 0x030b0004
	Message-Authenticator = 0x00000000000000000000000000000000
Finished request 12.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768,
id=96, length=153
	User-Name = "0018de9a2a1a"
	NAS-Port = 29
	NAS-IP-Address = 10.32.156.5
	NAS-Identifier = "CW32CE0A"
	Airespace-Wlan-Id = 1
	Acct-Session-Id = "4defbab7/00:18:de:9a:2a:1a/12405"
	Acct-Authentic = Remote
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "342"
	Acct-Status-Type = Start
	Calling-Station-Id = "0.0.0.0"
	Called-Station-Id = "10.32.156.5"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address =
10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id =
"4defbab7/00:18:de:9a:2a:1a/12405",User-Name = "0018de9a2a1a"'
[acct_unique] Acct-Unique-Session-ID = "7fab12adbf4fb3ac".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "0018de9a2a1a", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] 	expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] 	expand: %t -> Wed Jun  8 10:54:25 2011
++[detail] returns ok
++[unix] returns ok
[radutmp] 	expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] 	expand: %{User-Name} -> 0018de9a2a1a
++[radutmp] returns ok
[sql] 	expand: %{User-Name} -> 0018de9a2a1a
[sql] sql_set_user escaped user --> '0018de9a2a1a'
[sql] 	expand: %{Acct-Delay-Time} ->
[sql] 	expand:            INSERT INTO radacct
(acctsessionid,    acctuniqueid,     username,              realm,
       nasipaddress,     nasportid,              nasporttype,
acctstarttime,    acctstoptime,              acctsessiontime,
acctauthentic,    connectinfo_start,              connectinfo_stop,
acctinputoctets,  acctoutputoctets,              calledstationid,
callingstationid, acctterminatecause,              servicetype,
framedprotocol,   framedipaddress,              acctstartdelay,
acctstopdelay,    xascendsessionsvrkey)           VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,
  '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0',
'0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
             '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
[attr_filter.accounting_response] 	expand: %{User-Name} -> 0018de9a2a1a
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 96 to 10.32.156.5 port 32768
Finished request 13.
Cleaning up request 13 ID 96 with timestamp +20
Going to the next request
Waking up in 2.1 seconds.
Cleaning up request 3 ID 249 with timestamp +17
Cleaning up request 4 ID 250 with timestamp +17
Cleaning up request 5 ID 251 with timestamp +17
Cleaning up request 6 ID 252 with timestamp +17
Cleaning up request 7 ID 253 with timestamp +17
Cleaning up request 8 ID 254 with timestamp +17
Cleaning up request 9 ID 255 with timestamp +17
Cleaning up request 10 ID 0 with timestamp +17
Cleaning up request 11 ID 1 with timestamp +17
Cleaning up request 12 ID 2 with timestamp +17
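
A check for the mismatch visible in this debug output, as an added example that is not part of the original post or of FreeRADIUS: it parses `radiusd -X` text and reports Accounting-Request packets whose User-Name never appeared in an Access-Accept sent to the same NAS, and whether that name is just the MAC embedded in Acct-Session-Id. The function names and the abridged sample are assumptions made for illustration.

```python
import re

# Sample abridged from the radiusd -X output above (lines unwrapped, hex attributes dropped).
SAMPLE = """\
rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=2, length=235
    User-Name = "ziggy"
    Airespace-Wlan-Id = 2
++[eap] returns ok
Sending Access-Accept of id 2 to 10.32.156.5 port 32768
    User-Name = "ziggy"
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768, id=96, length=153
    User-Name = "0018de9a2a1a"
    Airespace-Wlan-Id = 1
    Acct-Session-Id = "4defbab7/00:18:de:9a:2a:1a/12405"
"""

HEADER = re.compile(r"^(?:rad_recv: (\S+) packet from host|Sending (\S+) of id \d+ to) (\S+)")
ATTR = re.compile(r'^\s+([\w:.-]+) = "?(.*?)"?\s*$')
SESSION_MAC = re.compile(r"/((?:[0-9a-f]{2}:){5}[0-9a-f]{2})/", re.I)

def parse_packets(text):
    """Split debug output into packets: type, peer address and attribute dict."""
    packets, cur = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            cur = {"type": head.group(1) or head.group(2), "peer": head.group(3)}
            packets.append(cur)
        elif cur is not None and ATTR.match(line):
            name, value = ATTR.match(line).groups()
            cur.setdefault(name, value)
        elif not line.startswith((" ", "\t", "id=")):
            cur = None  # a module trace line ends the packet's attribute list
    return packets

def audit_accounting(packets):
    """Flag Accounting-Requests whose User-Name was never sent in an Access-Accept."""
    accepted = {(p["peer"], p.get("User-Name")) for p in packets if p["type"] == "Access-Accept"}
    findings = []
    for p in (p for p in packets if p["type"] == "Accounting-Request"):
        user = p.get("User-Name", "")
        mac = SESSION_MAC.search(p.get("Acct-Session-Id", ""))
        findings.append({
            "user": user,
            "wlan": p.get("Airespace-Wlan-Id"),
            "authenticated_name": (p["peer"], user) in accepted,
            "name_is_session_mac": bool(mac) and mac.group(1).replace(":", "").lower() == user.lower(),
        })
    return findings
```

Session tracking keyed on User-Name (radutmp, radacct) only sees the names that arrive in accounting, so a finding with `authenticated_name` set to `False` marks a session that will not be counted against the authenticated user.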



